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Introduction 


The ICO introduced the Sandbox service to support organisations who are developing products and/or services that use 
personal data in innovative and safe ways and where such products and/or services deliver a potential public benefit. In 
order to develop the Sandbox, the ICO launched the Sandbox as a beta phase, for an initial group of participant 
organisations during 2019 - 2020. The beta phase provided a free, professional, fully functioning service for ten 
organisations, of varying types and sizes, across a number of sectors. 


Organisations who were selected for participation in the Sandbox beta phase have had the opportunity to engage with us; 
draw upon our expertise and receive our advice on mitigating risks and implementing ‘data protection by design’ into their 
product or service, whilst ensuring that appropriate protections and safeguards are in place. The Greater London Authority 
(GLA) applied to the ICO Sandbox and was one of the candidates who was selected for participation in the Sandbox beta 
phase. 


GLA wished to use the ICO Sandbox process to support the development and enhancement of an already existing multi- 
agency data platform that they host (SafeStats). This would facilitate the use of a public health approach to violence 
reduction and align closely to the work of the London-based Violence Reduction Unit, helping to inform violence-related 
decision-making processes. The Violence Reduction Unit is a cross disciplinary department looking at the role of the public 
health approach to reducing violent crime. 


The GLA wanted to utilise a significant proportion of their time within the ICO Sandbox to review both their processes and 
documentation in respect of Information Governance and Information Security pertaining to SafeStats. They were keen to 
ensure that all the relevant and necessary procedures and requirements were in place (and documented accordingly), so as 
to enable meaningful negotiations with other agencies, of more detailed/disclosive public health data. The GLA wanted to 
demonstrate to both current and potential data providers that they were fully aware of, and compliant with, all relevant 
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legislation and governance and had sound procedures in place to mitigate any identified potential risks with the proposed 
data sharing. 


On 18 July 2019 the ICO attended GLA’s offices in London and met with the lead of the project, the GLA’s Data Protection 
Officer and the technical implementation lead. GLA acknowledged that the body of work required by this project would likely 
take longer than one year and a programme of actions was agreed for the Sandbox plan. 


During the course of GLA’s participation in the ICO Sandbox, the Covid-19 pandemic resulted in delays to the progress of the 
project and significant draws on the resources of other organisations also working to support broader public health aims in 
the capital. For this reason, some of the work which GLA hoped to complete before the end of the Sandbox participation has 
not yet been finalised. GLA have used this time to develop its policies and procedures and further improve its background 
understanding of the data protection issues resultant from tracking data points relating to violence as a public health issue. 


Executive summary 


The programme of work GLA wished to complete within the ICO Sandbox was designed to improve on already embedded 
good practice and build a framework for further ongoing compliance. GLA’s work was likely to far exceed the time available in 
the beta phase, therefore actions were designed to be repeatable and iterative. This was intended to help ensure a 
framework for compliance which can be effectively used going forward without additional support from the ICO. 


The Sandbox plan objectives included a review of existing data protection measures, an iterative review of data protection 
documentation, a technical risk review and a data sharing review and support. 


The GLA project does not attempt to identify or take action directly against individuals, however the data processed by the 
GLA for the purposes relating to SafeStats should be considered identifiable, as with the reasonable effort and resources of 
those within GLA who have access to the data, the data subject may be identified. This in turn raises further questions about 
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the ways in which GLA can support the data protection rights of individuals, including those at risk of being victims of or 
committing violent crimes. 


2.4 The SafeStats project and associated deliverables, challenge the way that violent crime and its associated factors are 
routinely looked at; proposing to align health and crime data for the purposes of analysis. GLA’s public health approach to 
reducing violence may: 


e help facilitate collaborative working; 

e reduce duplication; 

e improve continuity between services; 

e provide an insight in to why those who have been identified as high risk at an early age by public services still go 
through the system without appropriate action being taken; 

e identify where the confounding issues may lie such as reductions in funding for non-statutory interventive work and 
extensive waiting lists for mental health support; and 

e provide a more comprehensive and integrated understanding of violence. 


2.5 Ordinarily, analyses of violence are undertaken on the relevant data separately, in isolation from other relevant records. 
GLA’s SafeStats project hosts emergency services data and public health data on a combined platform, to enable a more 
comprehensive and integrated understanding of the intelligence picture. This shifts from an enforcement-led analysis of 
individual datasets to a more proactive and collaborative approach, which simultaneously analyses the data to inform 
intervention and diversionary activity. Ultimately this is done in a way to be within the public interest as it should reduce the 
number of violent incidents within London. The bringing together of data is still required to be done in a way which supports 
the rights of the data subjects and the security of the data. During GLA’s Sandbox participation, support was provided by the 
ICO in the development of risk assessments, document review and consideration of internal policies to help GLA effectively 
consider these issues. 


2.6 The use of predictive analytics and decision support technologies to assist in deciding when and where to apply services and 
early violence interventions, as well as who to apply them to, enables the GLA and other involved parties to move away from 
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what is otherwise a very time-consuming, resource-intensive manual process. This form of innovation is likely to result in a 
much more efficient and effective process. It is however still important that such activities take place with public support and 
scale up in a way which demonstrates efficacy and proportionality with the outlined aims. The work in the Sandbox has 
included externally commissioned research and stakeholder engagement, and research-based decision making to help 
support this. 


Product description 


Whilst in the ICO Sandbox, GLA proposed to explore its data collection and data analysis, relating to the impacts of violent 
crime. This data is stored within a platform known as SafeStats and over the course of the Sandbox participation, GLA 
wished to look at both expanding the currently held data sets within SafeStats and also to look at building a basis on which 
to further its projects analysing this data around specific themes. 


This work has taken place within the context of the Mayor of London setting up a Violence Reduction Unit (VRU) which is 
taking a public health approach to tackling violence. As part of this work, the VRU is required to better understand how public 
health and social services can be managed to prevent and reduce crime; with the focus being on early intervention. There is 
increasing interest from the VRU, the Mayor’s Office of Policing and Crime (MOPAC) and the Greater London Authority (GLA), 
for health, social care and crime data to be looked at in an integrated and collaborative way. 


The Sandbox project aimed to build on the existing SafeStats service run by the GLA, which brings together multi-agency 
emergency service data on crime and disorder within the capital and makes this available to authorised analysts in support of 
strategic planning, policy making and operations. These analysts are involved in crime and disorder reduction work and are 
primarily located in organisations external to the GLA; including the Community Safety Partnerships across London and the 
Metropolitan Police Service. 


The aims of the GLA Safestats project are as follows: 
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Reduced violence - The project aimed to support the VRU in tackling the causes of violence, and reducing its associated 
harms in London. The consequences, impacts and ramifications of violence are often widespread, manifesting in issues, such 
as increased social costs, physical injury, social isolation, and an increased fear of crime amongst vulnerable groups of 
people. The resultant benefits to individuals, their families and their communities of reducing the prevalence of violence and 
the associated risks are thus fairly explicit and extensive. 


Better public health - Violent crime has a complex relationship with health; known to negatively affect both people’s 
physical and mental health. Through creating an established and strong evidence-base for the predictors of violence, these 
risks can be mitigated, and the impacts minimised. Health inequality is a pertinent issue for public health and for crime 
reduction. The victims and perpetrators of violence are consistently reported to have higher health needs, and worse health 
outcomes across a range of measures compared to the rest of society. Through a better understanding of these health 
needs, the right health provisions can be provided at the right time to those that need them most; reducing health inequality 
and increasing the overall health and wellbeing of society. 


Better public services - The project will assist in the intelligence and evidence-led allocation of funding and resources to 
both the geographical locations most in need, and to the most vulnerable and needing groups within society. The 
optimisation of scarce resource deployment therefore results in a more efficient use of public funds, better service user 
experiences, and more effective and successful public services. 


The utilisation of the Project is dependent on GLA’s ability to source relevant data in a compliant way, to hold that data in a 
secure manner and further share the information whilst limiting the risk of exposing special category personal information to 
unauthorised individuals. GLA is currently working on encouraging further strategic data sharing with their current, and new, 
partners. Fundamental to the ongoing effectiveness of GLA’s work is trust and confidence both from its data sharing partners 
and the public. Increasing and expanding the data sets is likely to increase the risk profile of the data processing activity and 
GLA are currently working to mitigate these issues prior to increasing the functionality of the service. 


GLA defined three different stages of data collection and collation for their ongoing project. The first stage refers to taking 
the aggregate data to which it already has access and the provision of the data at a lower geographical level than currently 
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held, specifically what is known as Lower Super Output Area (LSOA). This stage concentrates on dialogue and data sharing 
with agencies and organisations that the GLA already has authorised data sharing agreements with, or those agencies and 
organisations that have the required data sets to be publicly available, albeit at an insufficient geographical level of 
aggregation. The next stages are specific projects which will look at thematic understanding of violence including Youth 
Violence and Domestic Abuse. 


Core to this service is SafeStats, the host site for the emergency services data, which is accessed directly by the permitted 
users such as Community Safety Partnership Analysts and Police Analysts external to the GLA, to query the data that they 
need. This site is hosted and maintained by GLA; with all included data based upon approval by the originating bodies such 
as Transport for London (TfL) and the British Transport Police (BTP). SafeStats is currently undergoing a significant 
redevelopment to improve functionality, usability, performance, aesthetics, and user experience. The scope of the Sandbox 
project was to look at a new service which is currently unnamed but is essentially a “SafeStats +”. The GLA project proposes 
to have an increased data set with more disclosable data at a lower geographical level, possibly at LSOA, and failing that at 
ward level. Whilst the current implementation does not aim specifically to identify individuals based on the data provided 
through the project, there a realistic possibility that the data could be combined with other data sources to uniquely identify 
the data subjects included and is therefore the reason the project is considered to involve the processing of personal data to 
be under the scope of the data protection legislation. 


Key data protection considerations 


Lawful basis for processing 


4.1 


The GLA aimed to consider whether the GDPR or the requirements set out under part 3 of the DPA 2018, that relate to law 
enforcement processing, would be applicable to its work, processing data relating to violent crime. At the initial stages of 
working with the GLA, the ICO requested that the lawful basis for processing be considered; it was then confirmed by the 
GLA DPO the GLA is not thought to be a competent authority for the reasons of law enforcement, as it is not listed in 
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schedule 7 of the DPA 2018, nor does it seek to enforce law enforcement or prosecute infractions of the law. Therefore, the 
GLA determined that any criminal enforcement data is to be processed in line with the GDPR (and part 2 of the DPA 2018) 
with the appropriate requirements. The ICO took the view that, for the purposes of GLA’s sandbox participation, it was a 
matter for the GLA to determine, based upon their own knowledge of the legislation, to which part of the DPA 2018 they are 
subject. 


The GLA determined that its lawful basis for processing under the GDPR was Article 6(1)(e) Public Task, which is defined in 
the legislation as “processing is necessary for the performance of a task carried out in the public interest or in the exercise of 
official authority vested in the controller”. 


This is because the processing relates to its duties set out in Section 30 of the Greater London Authority Act 1999 (as 
amended) that provides the Mayor with a general power to act on behalf of the GLA to do anything which he considers will 
further the promotion of social development in Greater London and to promote improvements in the health of persons in 
Greater London. 


As part of the Police and Social Responsibility Act, in 2011, the Mayor of London was given a direct mandate for policing in 
London, with the Mayor being directly responsible for policing performance, setting strategic direction and allocating 
resources through the Police and Crime Plan. The priorities identified for London all align to tackling violence and its 
associated issues; including violence against women and girls, keeping children and young people safe, and hate crime and 
intolerance. 


Similarly, where the processing of any identifiable personal data concerning the health of an individual constitutes ‘special 
category’ personal data under Article 9 of the GDPR, such processing must also meet the condition in paragraph 6, Part 2 of 
Schedule 1 of the 2018 Act (in accordance with the requirement in Article 9(2)(g) of the GDPR): “processing is necessary for 
the exercise of a function conferred on a person by an enactment or rule of law and is necessary for reasons of substantial 
public interest.” Paragraph 6 of Part 2 of Schedule 1 of the DPA 2018 (Statutory etc and government purposes) provides 
that: “This condition is met if the processing (a) is necessary for a purpose listed in sub-paragraph (2), and (b) is necessary 
for reasons of substantial public interest. 
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(2) Those purposes are (a) the exercise of a function conferred on a person by an enactment or rule of law; (b) the exercise 
of a function of the Crown, a Minister of the Crown or a government department.” 


Where any data is considered to be criminal conviction data and could require a condition to process data under article 10 of 
the GDPR GLA could rely upon the same condition as per paragraph 36 of part 2 of Schedule 1 of the DPA 2018. 


4.6 Further powers to process and share data relating to violent crime have been outlined in the Government’s Serious Violence 
Bill 2019, but have yet to become law. 


Commissioned research on public views to data sharing 


4.7 As part of the Sandbox work, GLA commissioned external research to better understand the public’s view on the sharing of 
personal data in respect of its public health approach to reducing incidents of violence. This consultation was completed in 
April 2020. The research particularly focused on those who were most likely to be impacted by violent crime as either victims 
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or perpetrators. Conducting this research has also helped GLA to comply with Article 35 (9) of the GDPR’, relating to seeking 
the views of data subjects where possible, as part of a data protection impact assessment. Where the GLA has not identified 
the data subjects specifically affected by the processing it has still sought those views from the most relevant sections of the 
public. 


4.8 The view articulated by the public in this research included a positive view of data sharing for the purposes of violence 
reduction, as well as a concern that data shared in such a fashion should only be used in ways which benefit the data 
subject. The subjects engaged in the research expressed views about specific data sets the public believed could be shared, 
such as data relating to health and schooling, and other data which they would not support the processing of, such as 
biometric or geolocation data. The research also highlighted the importance of ongoing communication of how these data 
sets are being used and the importance of piloting the data sharing to ensure that it is effective before rolling out more 
widely. 


t Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to 
the protection of commercial or public interests or the security of processing operations. 
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The ICO recognises that GLA have taken an important step by ensuring that the public views are considered, through the 
GLA’s initial research process. With respect to proportionality and necessity of processing, the ICO has worked with GLA in 
ensuring that the outputs of the research can be read across into the data protection work carried out by GLA within the ICO 
Sandbox. 


Significantly, this allowed the GLA to not only articulate which areas of data protection the public had the most concerns 
about given the specific areas of focus of the project; but also the general support for the activity in respect of the balancing 
of the rights of the data subjects against the wider public benefit of the data processing. The consultation has acted as an 
important step in ensuring the GLA is demonstrating the appropriate care and respect for the rights of the data subjects, 
whose data it seeks to collect and process. 


Consultation with stakeholders and data sharing practices 


4.11 


4.12 


At the beginning of its Sandbox participation, GLA aimed to clarify and standardise its existing data sharing documentation in 
respect of the SafeStats platform. On 11 September 2019, drafts were provided to the ICO for comment. This included a 
revised data sharing template, a data sharing pathway document and clarification as to the data controllership as a result of 
the transfer and further use of data. The final data sharing agreement template framework was comprehensive and lended 
itself to compliant data sharing activities. The templates and processes represented an encouraging starting point for the 
formation of ongoing Data Sharing Agreement’s (DSA’s) assuming that appropriate considerations are made regarding the 
legal basis and the necessity of the data sharing activity. 


After conducting the wider research into the public’s views around data sharing for the purposes of crime reduction, the GLA 
went on to conduct a consultation with the London Local Authorities to ensure that their proposed processing and data 
sharing would be effective for the purposes outlined, would be feasible to conduct and would not involve the collection of 
data above and beyond that which could be effectively used and required for the reasons of violence prevention. This has 
been productive in ensuring principles of data minimisation across the board and helped define what is possible as part of the 
Sandbox project. 
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The consultation allowed for an assessment of current provision of localised data sets and utility of such data to help 
understand what the current data recording is and how it can be improved. The Local Authorities were also able to clarify 
particular areas of concern and interest in respect of violent crime such as youth violence and domestic abuse with the hope 
that improved accessibility to demographic data was proposed to have several positive impacts across a broad range of 
aspects of violence work. This included, providing insight into the intelligence picture for violence, reducing reoffending, 
helping inform early intervention work, reducing repeat victimisation, helping to facilitate collaborative working, and helping 
with service provision/allocation. 


GLA has consistently sought out the best ways to understand its data processing in a holistic fashion, seeking to ensure the 
greatest level of utility of personal data as well as public benefit, whilst limiting the risk to the data subjects. The methodical 
approach to these consultations has seen the application of a rigorous practice of data protection principles to ensure that 
the legitimate aims are correctly specified in a specific and tangible fashion, that the processing is feasible and aims to tackle 
complex and emotive issues in the least invasive way possible. The work done by GLA demonstrates that data sharing in the 
public good can be achievable and conducted in a way which maintains a high level of data protection throughout. 


Using research to understand the implications of big data processing 


4.15 


4.16 


Due to the nature of data analytics and platforms which could be described as involving “big data” it is becoming increasingly 
important for organisations to fully consider to what extent they should be taking advantage of opportunities to collect new 
data or link existing datasets, ensuring that any data processing remains both proportionate and necessary to achieving a 
legitimate aim. 


During the course of the Sandbox participation, GLA took opportunities to further define the scope of what it hoped to 

achieve and base the work within the Sandbox around overall themes. Working with the ICO, the GLA has placed significant 
value on looking at the proposed issues prior to the processing of data, to ensure it has a relevant basis for the inclusion of 
the data within the data set. As part of this work, GLA has benefited from taking specific steps to understand the relevance 
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of the data prior to the processing activity taking place. These steps which GLA formed in the context of the Sandbox, are as 
follows: 


Clearly state the aims of the big data processing - GLA clearly articulated the aim of the processing and why it 
was currently needed, including for the purposes of understanding the strategic requirements of the violence reduction 
unit and its own current intelligence provision. From this analysis, several priority areas were articulated for further 
expansion of the data set. 


Make an assessment as to if/why currently available mechanisms are not effective - GLA has made an 
attempt to understand and quantify why its existing datasets would not be sufficient for addressing the priority areas. 
Including consultation with stakeholders and evaluation of the current utility of the data with respect to specific core 
thematic areas for further research. 


Use a rational basis for the inclusion of data in the big data set with the input of technical and subject 
matter experts - GLA has consistently sought the views of stakeholders to ensure it is looking at relevant data sets 
and has undertaken literature reviews to indicate the areas which may be most valuable for expansion. This has led to 
targeted and specific areas in which to focus their data analysis, to better serve the public without conduct of broad 
exercises in data analysis without thought as to the relevance of the data processing. Significantly GLA have reduced 
the risks of processing data unnecessarily that would be resultant from processing the data based upon an assumption 
that that creating larger datasets would automatically lead to better insights. 


Conduct a limited scope exercise - in the early stages, to ensure roll out will be effective, each additional piece of 
work carried out by GLA will be limited in geographic scope and will be time limited. Each of the new initiatives 
proposed by GLA have been described as pilots with limited scope tied to a thematic aim. This is to allow GLA to scale 
up as efficacy is proved whilst also reducing any of the risk associated to the data subjects. 


Reduction of readily identifiable information - all of this work has been conducted in such a fashion that data 
subjects are not readily identifiable and no action is taken against specific individuals on the basis of the work done for 
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the purposes of the data analytics work. 


Provision of transparency information when the data subject is not identified 


4.17 During its Sandbox participation GLA was required to determine the level of anonymity of the personal data being processed 
in order to explore its obligations under the GDPR. It was agreed that while GLA may be limited in its ability to identify 
individuals in the data set, individuals may still be identified by further processing of the data. This could happen if the data 
were to be triangulated, or “jigsawed” with other data allowing the deidentified data to be matched with a living individual. 
The ICO supported GLA to clarify the nature of the data and the importance of rights facilitation under the requirements of 
the GDPR. 


4.18 Given that the data is held in a format that could be identifiable it should be considered to be identifiable personal data and 
as such under the scope of the GDPR and therefore subject to the proper provision of individual data protection rights. 
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However, GLA is not required to re-identify data subjects in the data set as per GDPR Article 117, to help facilitate the rights 
of the data subject. 


4.19 GLA have gone on to create a documented assessment as to whether providing fair processing information to data subjects 
could be considered impossible or of disproportional effort under GDPR article 14 (5) b’. As this would not likely be possible 
in most cases, would represent a higher level of risk to the data subject and is not required to meet the aim of the 


2 If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the 
controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the 
sole purpose of complying with this Regulation. 

1Where, in cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that it is not in a position to identify the data 
subject, the controller shall inform the data subject accordingly, if possible. 2In such cases, Articles 15 to 20 shall not apply except where the 
data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification 


3 the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving 
purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred 
to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the 
achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s 
rights and freedoms and legitimate interests, including making the information publicly available; 
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processing, GLA have considered that it would not be proportionate to re-identify and notify the data subjects directly of the 
processing. 


4.20 It was agreed that GLA should still ensure privacy notices are made readily available online as per ICO guidance on 
transparency, and a consideration to the risk to the implementation of the data subjects rights should be documented in a 
data protection impact assessment (DPIA). 


4.21 The GLA should consider all rights requests made in relation to the processing of personal data which are not manifestly 
unfounded or excessive. However rights requests should only be facilitated where information is provided to enable the re- 
identification of the data subject. GLA should consider the methods available to them ahead of processing in order to 
implement an appropriate process to ensure that rights requests are adequately responded to. These methods may included 
working with data sharing partners, and should not place an unfair onus on the data subject to provide information to 
facilitate their rights. 


Technical security considerations and conduct of DPIAs 


Page 17 of 21 


İCO. 


Information Commissioner’s Office 


4.22 Itis a requirement of UK data protection law that any processing likely to result in a high risk to the data subjects should be 
subject to a DPIA process. As the processing proposed by GLA was on a large scale and may contain information considered 
to be of a sensitive or a highly personal nature, both the ICO and GLA determined a DPIA would be relevant to the 
processing. An initial version of the SafeStats DPIA was drafted by GLA in August 2019. Iterations of the DPIA were reviewed 
by the ICO Sandbox during the course of GLA’s participation. An additional DPIA was also drafted and reviewed for the 
specific thematic projects that GLA proposed to undertake. While a single DPIA may have been sufficient for multiple 
processing operations of a similar nature as per GDPR article 35(1)*, the GLA considered the thematic projects to be different 
enough in nature to be supported by a separate DPIA, to enable a better understanding of the risks involved. This was 
supported by the ICO, with any information relevant to both DPIAs contained in each DPIA separately. 


4.23 In general, a DPIA process should include an assessment of any risk to the rights and freedoms of the data subject resultant 
from the data processing. This may include a data subject not being able to action their relevant data protection rights such 


4 Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the 
processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out 
an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set 
of similar processing operations that present similar high risk 
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4.25 


4.26 


4.27 


as the right of access as defined by data protection legislation, or their broader rights to privacy and equality. During the 
course of the risk assessment, particular attention should be paid to the security implementation of the data processing 
activity, including measures to improve the confidentiality, integrity or availability of the personal data involved in the 
processing. 


GLA has sought to document these considerations within the DPIA, including the proportionality and necessity of the data 
processing it is undertaking. This has included a thorough documentation as to how the new approach is materially more 
effective to achieving its aims than not processing personal data at all. It establishes the legal basis for processing and 
documents the relationships, legal and organisational measures in place between itself and its partner organisations to 
ensure that the rights of the data subject are upheld. 


In early drafts of the DPIA it was agreed that the risk assessment element of the DPIA could be more specific and have 
clearer and more granular detail as to the risks and nature of the mitigations in place to reduce those risks. Whilst it was 
originally envisioned that a full scale, on-site, assessment of GLA’s operational security be conducted as part of the Sandbox 
process, this was not possible due the impact of Covid-19. GLA have instead sought the ICOs view on risks that may be 
associated with the processing and documented these in its DPIAs. 


Unlike a cyber security assessment, which considers the risk from an organisational perspective, the DPIAs were primarily 
concerned with any impact on the data subject and in particular any distress or harm they may suffer as a result. This should 
cover the risk of a single breach of personal data and how that may impact a particular individual and also the possible scale 
of interference to multiple individuals of a wide-ranging breach. Risks in this assessment included the risk of misuse of data 
by a user, the risk of re-identification of a data subject in the data set and risks relating to the secure transfer of data from 
stakeholders to GLA. 


The GLA has iterated on the DPIAs during the course of the Sandbox participation, as changes have been made to projects 
and new information has been gained from consultation and strategic processes. In any event, iteration of DPIAs can be 
helpful and should be considered good practice as the security requirements of any system will be dependent on the context 
in which that system is used. The overall security of the organisation will also have a bearing on how secure the individual 
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system is and without that holistic assessment, there may still be significant security issues relating to the processing of the 
personal data within any given system. GLA have a wide range of established governance and security policies in place to 
support the mitigation of these risks which have been documented but not fully assessed within the scope of the Sandbox 
participation. 


4.28 As SafeStats continues to be improved or new thematic areas are explored which require more data for GLA to conduct its 
activities, GLA should continue to revisit its risk assessments in particular in relation to the risk of re-identification. 


5. Ending statement 


5.1 The SafeStats data portal brings together data from many sources and provides access to these data in a secure way to 
different types of authorised users. SafeStats has been around in different iterations for around 20 years. During this time 
there have been massive changes in the national understanding of and approaches to this data sharing which impacts on 
governance frameworks. Changes in policy relating to crime and violence require access to a wider range of datasets than 
those held in the past and these add to the complexity of the portal governance. 


5.2 The Sandbox experience has afforded GLA with a neutral space to review in greater depth all the processes and 
documentation associated with the SafeStats system: to provide clarity on their compliance with all the relevant legislation 
and ensure all documentation was completed robustly. As a result, GLA have a much greater level of assurance and 
confidence around legislative compliance when making approaches to both new and existing data providers. 


5.3 The Sandbox has provided GLA with the opportunity to engage in meaningful dialogue with the ICO and other key 
stakeholders regarding the differing roles and aligned obligations under the GDPR legislation, the implications on the rights of 
data subjects in de-personalised datasets, an exploration of the feasibility and benefits of the GLA appointing a Caldicott 
Guardian, and how to best utilise engagement and consultation to assist in our rigorous enforcement of data protection 
principles. 
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5.4 GLA’s participation in the Sandbox proactively demonstrates to the public, stakeholders and data-providing organisations 
that they are cognisant of legal requirements in handling, processing and sharing of personal data; with the relevant and 
necessary procedures and requirements in place. GLA have demonstrated awareness of the full array of potential risks to the 
data processing activities, and have developed and continue to develop sound procedures in place to mitigate these risks and 
new potential risks. All these activities have helped GLA to understand how they can assure others, external to the GLA, that 
the handling of data is both legal and ethical, and that GLA can build effective procedures for the appropriate handling of a 
wider set of data. 


5.5 The Sandbox has placed GLA in a strong position to iteratively develop both our data-sharing/SafeStats policies and 
procedures to address future developments. 
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